8 Simple Tips to Secure a Mac from Malware, Viruses, & Trojans

The recent outbreak of the Flashback trojan (Apple released an update and fix, get it!) has brought a lot of attention to potential viruses and trojans hitting the Mac platform. Most of what you’ll read is overblown, fear-mongering hype, and practically all Mac malware has come through third party utilities and applications. What that means for the average user is that it’s very easy to completely prevent infections and attacks from occurring in the first place, especially when combined with some general security tips. Without further ado, here are eight simple ways to secure a Mac to help prevent viruses, trojans, and malware from affecting you:

1) Disable Java

Flashback and other malware have installed themselves through Java security holes. Apple has already released several updates to patch the Java security holes that allowed Flashback to spread (you should install those), but you can also go a step further and completely disable Java on the Mac. Frankly, the average person doesn’t need Java installed on their Mac, let alone active in their web browser. Disable it and you don’t have to worry about security holes in older versions of the software impacting your Mac.

1a) Disable Java in Safari

Open Safari and pull down the Safari menu, selecting “Preferences”

Click on the “Security” tab and uncheck the box next to “Enable Java”

Disabling Java in the Safari browser is reasonably effective, but why not go a step further and disable it in Mac OS X completely? Chances are high that you won’t miss it, let alone notice it’s disabled.

1b) Disable Java System-Wide in Mac OS X

Open the Applications folder and then open the Utilities folder

Launch the “Java Preferences” application

Uncheck the box next to “Enable applet plug-in and Web Start applications”

Uncheck all the boxes next to “Java SE #” in the list below

2) Update Apps and OS X Software Regularly

Apple regularly issues Security Updates and many third party apps do as well, so regularly updating both your OS X System Software and OS X apps is one of the single best preventative measures you can take to keep a Mac secure. We’ve hammered home about this repeatedly as a general Mac OS X maintenance tip because it’s important and so easy to do:

Open Software Update from the Apple menu and install updates when available

Open the App Store and download available updates

3) Disable or Remove Adobe Acrobat Reader

Adobe Acrobat Reader has had multiple security breaches recently, so you’ll be safer without it in your web browser. There’s little reason to have Reader installed on a Mac anyway, since OS X includes Preview for viewing PDFs. Uninstall Adobe Acrobat Reader by running the bundled uninstaller app, or locate the following file and remove it to uninstall the Acrobat browser plugin: /Library/Internet Plug-ins/AdobePDFViewer.plugin
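
The plug-in file named above can be checked for from Terminal. The script below is an added example, not part of the original article: it looks in the system-wide and per-user Internet Plug-ins folders for the Acrobat plug-in and for the Java and Flash plug-ins covered in tips 1 and 5, and prints each one found with its version. Only AdobePDFViewer.plugin is a name taken from the article; the other bundle names, the per-user folder and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. AdobePDFViewer.plugin is the name the
# article gives; the other bundle names are assumptions about how the Acrobat
# NPAPI, Java and Flash plug-ins are usually named on disk.
FLAGGED='AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin
JavaAppletPlugin.plugin
Flash Player.plugin'

# plugin_version BUNDLE
# Prints CFBundleShortVersionString from an XML Info.plist, or "unknown" when
# the file is missing, binary, or laid out differently.
plugin_version() {
    plist="$1/Contents/Info.plist"
    ver=""
    if [ -f "$plist" ]; then
        ver=$(sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist" 2>/dev/null | head -n 1)
    fi
    printf '%s\n' "${ver:-unknown}"
}

# list_flagged_plugins DIR...
# Prints "path<TAB>version" for every flagged plug-in bundle found.
# Returns 0 when none are installed and 1 when at least one is present.
list_flagged_plugins() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue   # the per-user folder may not exist
        # Read the names line by line so bundle names with spaces stay intact.
        while IFS= read -r name; do
            if [ -e "$dir/$name" ]; then
                printf '%s\t%s\n' "$dir/$name" "$(plugin_version "$dir/$name")"
                found=1
            fi
        done <<EOF
$FLAGGED
EOF
    done
    return "$found"
}

# Check the system-wide and per-user plug-in folders.
list_flagged_plugins "/Library/Internet Plug-ins" \
    "${HOME:-}/Library/Internet Plug-ins" || true
```

No output means none of the listed plug-ins are installed in either folder.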

4) Install Anti-Virus Software for Mac OS X

Using anti-virus software on the Mac is likely overkill, but it’s worth mentioning again. We’ve talked about the free Sophos anti-virus here before, and though you probably won’t ever need it, it’s a free and effective way to fight viruses that may end up on the Mac. If you’re the cautious type and you’d rather be safe than sorry there isn’t much harm to using it as a preventative measure:

5) Disable Adobe Flash / Use a Flash Block Plugin

Flash has been used as an attack vector in the past, and Macs stopped shipping with Flash installed for a reason; basically it’s a crash-prone battery hog that has occasional security breaches. Many sites use Flash for video and games though, so instead of uninstalling Flash completely we’ll recommend using a Flash block plugin for your web browser. This causes all Flash to be disabled by default until you click to allow individual plugins and instances of the Flash plugin to run, preventing unauthorized Flash from running in a web browser completely. These plugins are free and available for every major browser:

6) Disable Automatic File Opening After Download

Safari defaults to automatically opening “safe” files after they’re downloaded. For added security, disable this feature and manage the opening of downloads yourself:

Open Safari preferences and click the General tab

Uncheck the box next to “Open ‘safe’ files after downloading”

7) Double-Check Anti-Malware Definitions are Enabled

OS X automatically downloads and maintains a malware definition list which is actively used to combat potential threats and attacks. This is enabled by default, but you can double-check to make sure you’re getting the updates as they arrive by ensuring the feature is turned on:

Open System Preferences and click on “Security & Privacy”

Under the General tab look for “Automatically update safe downloads list” and make sure it is checked

You can also check the update list manually if you’re concerned the latest version hasn’t been installed, but as long as you have the feature enabled and have regular internet access, it probably is.

8) Don’t Install Random Software You Didn’t Ask For

If you see a random pop-up window asking you to install random software you didn’t request, don’t install it! This may sound like common sense, but it’s actually how some Mac malware propagated in the past. Apple patched the hole that allowed for that to happen a while ago, but the overall message is still relevant: if you didn’t download or request an app to be installed and you’re suddenly confronted with an installation dialog, don’t install it.

That about covers it, but if you have any additional security tips and anti-virus/malware/trojan tips, let us know in the comments.


Virii as the Latin plural of virus is incorrect for several reasons, the first one of which is the fact that the singular is virus, not virius. See for details. Briefly, the plural ‘viruses’ is acceptable in English, while modern Latin uses ‘vira’.

For the sake of nit-picking the nits on a nit, traditional Classical Latin didn’t actually have a finite correct plural form for ‘virus’. Therefore using the word ‘viruses’ seems perfectly acceptable. Everybody knows what it means, whether used within a medical or computer-based concept. ‘Virii’ seems to be one of those words which makes some of us feel good about ourselves when we’ve been able to use it in polite conversation.

How about:
Having a non-administrative account as the everyday user account: even though Apple creates the first user with administrative rights for everyday use, one should use an account without these rights.

“apolohensia”. Perhaps you were looking for apologensia which isn’t actually a word, just something the unintelligent use to try and seem smart. Java isn’t critical to a web browsing experience, but it does help. As for Flash, it’s just a bloated POS whose premise sits back (and belongs) in the last century. Only the packaged content has changed. The sooner it evaporates off the face of the planet, the better, as the security holes it opens your system up to, you can drive a truck through. Nothing was mentioned about torrent files. Biggest risk you will ever take is to download anything from P2P or torrent files.

Hey, it’s a good article, but what you said is too much…. Instead I would suggest you completely shut down the Mac and go to sleep. If the Mac has security holes, Apple should release updates. It does not mean the user should disable all services that he has on his computer. I feel Windows 7 is better….

“…Frankly, the average person doesn’t need Java installed on their Mac let alone active in their web browser…”

…except for the average person who uses net-banking, since the majority of banks use Java for their login certification (Danske Bank, Deutsche Bank, IngDiba, just to name a few of the *international* banks).

NemID in Denmark uses Java. You use NemID to log on to basically everything. Your bank, insurance, tax office, pension etc. etc. Quite the exact opposite of what is stated in this article. Everybody needs Java.

I don’t think any of it is for good. This OS X Daily sells anti-virus; once we follow them we might need anti-virus then. There is no virus found yet for Mac, which is true. Just updating software is better.

I wish that Sophos would stop appearing in articles like this as ‘recommended’ anti-virus products; I had the product installed for six months and it made my MBP very unstable, and when I logged a number of calls with Technical Support I was ignored over and over again. I got Customer Services involved in the end and pointed out that they treated their customers with contempt! My suggestion is not to use it.

LOL.. thought I’d test the blogger’s theory about “the average person doesn’t need Java installed on their Mac let alone active in their web browser, disable it and you don’t have to worry about security holes in older versions of the software impacting your Mac.”

Woke up this morning forgetting I had done this late last night…. and did my usual mosey’ing around the web.. wondering what in the world is going on with all these internet sites not working properly.

Anyone has to worry when anti virus software companies make hundreds of millions of dollars each year out of the existence of viruses. It’s in their interests that viruses exist. Has anyone wondered who writes viruses and why?

I have been saying that for years!!!!! I have been trying to get my grandfather from PC to Mac and he just keeps saying way too expensive. I said you get what you pay for. You pay that 1,200 to 2,000 on a Mac and you turn it on and that’s it. As to Windows, you have to buy antivirus; then you still get viruses and have to pay all kinds of money to get it fixed. He goes, but I never paid anyone to fix it, and says “you do it for me”! I said, do you have any idea how much money you would owe me if I was a company like Geek Squad or Radio Shack. Literally 5k, pop pop, I said, and I am not exaggerating at all. Then I said, don’t you think if Bill Gates wanted a SOLID computer on the market, don’t you think he would have done it by now!!! He wants you to get catastrophic Trojans, viruses, and everything else under the sun. They all do!!!! He won’t break. I told him next time (which will be any day now) I am not taking all day to use them ComboFixes. That’s old school shit for me! And I am sticking to my word. Anyway, great article here, I learned something new today!!

when you say remove — do I click “delete” that file (AdobePDFViewer.plugin) after I navigated to it

and then the viewer is “uninstalled”?
—–
1b) Disable Java System-Wide in Mac OS X
I could not see the check box at the top to uncheck
I am on 10.6x
is this a 10.7x option?
—–
I use firefox not Safari
for 1a) Disable Java in Safari
option Enable Java, was there but on a different tab

for 6) Disable Automatic File Opening After Download
I could NOT find option in Firefox to uncheck
—-
thx again

I’d recommend a free, Windows 7 tried and true, security suite which is now available for Mac OS : comodo internet security (google it). It’s been very effective on my PC, and it has cleaned up my Macbook

I’ve just downloaded and installed Sophos Anti-Virus software, and it says there are 5 virus/malware. I’ve also scanned with ClamXav and Flashback and BOTH these softwares say my iMac isn’t infected. So why the discrepancy? I suspect Sophos – coming from a company that SELLS and HOPES to sell (more) anti-virus software – is merely listing the virus/malware infection so that we end up buying their software. I’m uninstalling Sophos. This message/feedback is to warn users not to bother installing the Sophos anti-virus software. Plus, based on the feedback from users, I still haven’t heard of any saying their Macs have ACTUALLY been infected.

Keep your junk up to date and quit being so paranoid. The most secure windows system is less secure than a wide open unix system. A java exploit that does absolutely nothing hits the front page news because it affected macs. A webpage that tells the user to sudo rm -rf / would do more damage.

I had trouble using GoToWebinar after following all the tips in this article. Had to re-enable Java in Safari and OS-wide Java Preferences, had to check both boxes again. Now it works.
So if you want to follow this article’s suggestions, you’ll be unable to look at some important webinars.

“Keep your junk up to date and quit being so paranoid.” – It’s nonsense like this, that makes Mac users so vulnerable. First off, OS X is *not* Unix – It’s a Mach/BSD hybrid kernel. Second, Macs have only been “safe” because of security through obscurity – only 5% of the world’s population uses them, thus those who write viruses didn’t much bother…yet in security test after security test, OS X has proven to be indeed rather vulnerable, and it’s only a matter of time. If ill-willed coders have a change of heart and decide to focus more on Macs, stuff like Flashback is only the beginning, sorry to say.

“OS X is *not* Unix”
Bullsh*t! Mac OSX 10.5 was certified SUSv03 (Ars article : http://bit.ly/TtdBY ) Whilst it’s true that the smaller user base makes Macs a smaller target, the potential is certainly there, especially as they have a better trust level. Almost all weaknesses in the Mac arise from 3rd party software, particularly Adobe products, or from social engineering.

I run ClamXav, mainly because they have NO interest in selling you anything, I use ClicktoPlugin in Safari and I don’t run as admin. Thus, with a little bit of intelligence, I’m fairly safe.

OS X *is* Unix certified, the XNU “X is *not* Unix” kernel is POSIX compliant. Macs have been “safe” because of good architectural design. It has nothing to do with the world’s population that use a Mac.

And I use a separate old dedicated Windows PC to do all banking and financial activity. All email from banks and places that involve money transactions go to a dedicated email address used by that computer. No other email is processed. Unknown email is auto-deleted. Op Sys and anti-virus always updated. PC never used to web surf or visit non-banking non-financial merchant sites. And it is backed up. Runs minimal plug ins and add ons. The ONLY thing that is 100% is that eventually something will go wrong. But I feel in this way I improve my data security.

Wish I had left things alone. I went through all the steps with each browser I use, and now everything is messed up. I can’t scan a check to my bank that I used to be able to, the images on web pages do not load properly…..Is there any way to put things back the way they were before, if I am not using Time Machine on my Macbook Pro?

I found I got more troubles after turning off Java. For instance, I couldn’t make MATLAB start until I remembered it uses Java. My work heavily depends on MATLAB, I almost got myself a heart attack for it.

Generally Mac computers are immune to malware threats. A number of users have a strong belief that their system and data are completely safe just because they’re using Mac OS X. But they should think about Mac safety or security. Every Mac user should install antivirus so that they could be aware of new virus updates and keep their Mac secure, and yes, backup is also a good idea for the safety of data.


I found that I needed Adobe Reader on my MBP (Snow Leopard) in order to fill out a PDF form from the VA. Preview would not work. The question then becomes, which application to use as the default PDF viewer? I’d choose Preview. And, before using Adobe Reader on a trusted PDF, I’d open it and check for updates.


It’s called XProtect. People feel proud about Macs not needing antivirus; better call it XProtect, it will help you to sleep. Many people, when hit by a virus, Apple will replace the HDD to hide the virus. I tell that because my cousin is a former Apple worker. You don’t know how many healthy HDDs are replaced to hide the presence of viruses in Macs. You replace the HDD and you’ve got to install OS X; that’s how you hide it. People will never know and will sleep happy.

It’s amazing how people get neurotic about viruses on OS X. They say it doesn’t exist, it’s like a forbidden word; they can be called malware. The truth is that the Kaspersky blog said there are several, like Flashback. I would ask the people who claim it doesn’t exist where they get the info, or they can bear the idea. They exist no matter if users get neurotic; the experts like Kaspersky claimed that. There is no security expert that claims there is no virus. Flashback can install with no user intervention. It’s very funny what the little word “virus” can do to the Apple users.

I purchased my Mac in November 2015. Like the above reader, is there an update to this article, please? I spoke to an Apple staff member on the telephone in December 2015 about installing my Avast antivirus on the Mac and was given the advice to do so. For the past two weeks I have constant alerts on the screen from the Avast programme telling me that they have blocked a suspected Trojan. I get about 30 of these a day coming from the same source, and it is driving me insane. Yesterday Avast blocked the Silverlight program, which is used to watch Now TV football, therefore disabling viewing this on the Mac. Last week I was able to use Silverlight to view without a problem.
Do I need the antivirus on the Mac, it is posing an annoyance presently. I have the same programme installed on my Windows PC and am not having the same issues, there are no pop up alerts on that machine. Any advice would be much appreciated. I would add that I bank online so do need to be secure.

So do you advise uninstalling Avast antivirus from my Mac and leaving Apple and the apps to do the monitoring of mail traffic, etc.? The programme is constantly alerting me of it blocking suspected Trojans in mail, from one particular source.